Homeland  Security  Program 
Technical  Specification 


1 


20060512TP-HOSP 


Ind. 02 


Pages:  62 

11  November  2006 


Homeland  Security  Program 
Technical  Specification 


Public  Safety  Systems 
And 

Passport  Network 
Of 

The  Great  Libyan  Arab  Jamahiriya 


Homeland  Security  Program 
Technical  Specification 


2 


20060512TP-HOSP 


Ind. 02 


TABLE  OF  CONTENT 


The  table  of  contents  is  empty  because  none  of  the  paragraph  styles  selected  in  the  Document  Inspector  are 
used  in  the  document. 


Homeland  Security  Program 
Technical  Specification 


3 


20060512TP-HOSP 


Ind. 02 


1.  OBJECT  OF  THTS  DOCUMENT 

This  document  is  our  technical  specificationl  for  your  homeland  security  project.  It  covers  all  aspects 
discussed  between  the  various  teams  of  experts  from  your  organisation  and  our  company. 

More  specifically,  it  addresses: 

Communication  and  data  protection  (mobile  and  fixed  lines,  e-mail,  computer  exchanges,  computer 
protection) 

Communication  and  data  interception  (same  perimeter  as  above,. . .) 

Localisation  of  GSM,  activation 

Protection  of  VIP  against  remote  controlled  aggression 


2.  APPLICABLE  DOCUMENTS  AND  REFERENCES 

2.1. APPLICABLE  DOCUMENT 

None 

2.2. REFERENCE 

Our  visit  in  Libya  on  the  10th  and  the  1 1th  of  May  and  your  visit  in  i2e. 


3.  TERMINOLOGY 


Terme 

Definition 

ECC 

Elliptical  Curve  Cryptography 

VPN 

Virtual  Private  Network 

LAN 

Local  Area  Network 

PSTN 

Public  Switching  Telephone  Network 
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4.  PRESENTATION  OF  T2E  TKCIINOI  PCI  I S 

i2e  Technologies  belongs  to  the  CRESCENDO  group  briefly  presented  below. 

4.1.CRESCENDO  INDUSTRIES 


CRESCENDO  Group: 

♦ 600  employees 

♦ More  than  450  engineers 

♦ 3 Offers:  Service,  Engineering,  Products 

4.2.PRESENTATION  OF  THE  I2E  TECHNOLOGIES  COMPANY 


i2e  Technologies  core  business  is  to  develop  electric,  electronic  and  computing  solutions  to  satisfy  specific 
client’s  needs. 
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i2e  Technologies  is  organized  in  4 Business  units  : 

♦ Defence,  Telecom  and  Aerospace 

♦ Transportation  and  Supply  Chain, 

♦ Energy  et  Industry, 

♦ Network  and  Security. 

Our  mission  is  to  thouroughly  harness  all  types  of  technologies  and  combine  them  to  create  custumer’s 
solutions  : 

♦ Analog  and  microwave  frequency  electonics, 

♦ High  speed  digital  electronics, 

♦ Secure  an  rugged  on-board  technologies, 

♦ Real  time  data  processing, 

♦ Distributed  data  processing  : n-tier  architecture,  data  bases, 

♦ Signal  processiong 

♦ Radio  communication 

♦ Process  control,  automation  and  supervision 

♦ Security  software,  biometry  and  cryptography, 

I2e  mission  is  to  deliver  the  best  solutions  to  fully  satisfy  client  objectives,  I2e  will  is  to  develop  also  a 
culture  of  durable  partnership  with  its  client. 

Our  strong  points  are: 

♦ The  organisation  and  of  an  High  technology  company 

♦ Development  and  engineering  capacity 

♦ The  commitment,  the  flexibility  and  the  reactivity  of  a medium  size  business 

♦ A heritage  of  high  technology  for  more  than  25  years. 


The  performance  and  the  know-how  of  i2e  Technologies  is  well-known  from  industrials  and  this  position 
provides  an  major  role  in  outsourcing  research  and  development  as  well  as  equipment  production. 
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Turn  over  evolution 


(est.) 


History  of  i2e  Technologies 


1979:  Creation  of  I2e  by  Mr  Marcellet 
I2e  is  specialized  in  COMINT 

1990: 12e  is  designated  4 times  in  the  top  100 
of  innovative  companies 

1991: 12e  settle  down  in  a 9 hectares  park  in 
Aix-en-Provence 


70’s 

^ m 

80’s 

1987: 12e  received  the  performance  price 

1988: 12e  received  the  price  of  the  most 
dynamic  company 


1995:  Mr  Marcellet  is  elected  as  the  manager 
of  the  year 

1996  : 12e  is  certified  Iso  9001 


2003: 12e  acquired  Stella,  specialised  in  the 
RFID 

2004:  Crescendo  took  over  I2e 


2005: 12e  is  reorganised  in  strategic  business 
Units:  Energy,  Defence,  Transportation  and 
Security 


1992:  BEN  and  ENTEC  Companies  joined 
i2e 


1997:  i2e  is  certified  AQ API  10 
1998:  i2e  acquired  Digilog 


2000:  i2e  is  certified  ISO  9001 
2001:  i2e  acquired  the  ICS  Company 


2004:  Mr  Vannier  became  the  Chief 
Executive 


2006 
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4.3.  QUALITY  MANAGEMENT 
4.3.1. Certification  and  audits  from  customers 

Since  December  1999,  i2e  Technologies  is  certified  ISO  9001  (version  2000)  by  the  BVQI.  Its  last  renewal 
dates  is  on  December  2005. 

Since  September  2005,  i2e  Technologies  is  certified  EN  9100  by  ALCATEL  ALENIA  SPACE,  thus  I2e 
Technologies  is  identified  in  the  QUALIFAS  data  base. 

I2e  Technologies  is  starting  the  certification  process  ISO  14001  (Environmental  Management  system). 

I2e  Technologies  is  regularly  audited  by  its  clients  like  the  Ministry  of  Defence,  THALES,  GIAT  Industries, 
RATP,  COGEMA  . . . 

4.3.2. Organisation  and  Quality  DEPARTMENT  (OP) 

The  Organisation  and  quality  department  is  made  up  by: 

♦ 1 Quality  Director, 

♦ 1 Software  Quality  Manager, 

♦ 1 Hardware  Quality  Manager 

♦ 2 Quality  controller  (electronic  and  mechanic) 

4.3.3.PRINCIPAL  MISSIONS  OF  THE  OP 

♦ About  projects  : 

o Establish  the  quality  plan’s  project  in  accordance  with  the  Project  Manager 
o Assure  the  quality  supervising  during  the  work  in  progress 
o Animate  the  pilot  comities, 

♦ About  the  company  : 

o Manage  the  anomalies  reports,  waiver  demands,  conformity  certificates,  obsolescence,  preventive 
and  corrective  actions  processing, 

o Conducting  internal  audits, 
o Deal  with  clients  satisfaction  surveys, 

4.3. 4. Operational  process 

Operational  processes  of  i2e  Technologies  are  articulated  around: 

♦ Projects, 

♦ Products, 

All  these  process  are  documented  and  completed  by  indicators. 
i2e  Technologies  has  : 

♦ A quality  manual  describing  all  the  methods  and  rules, 

♦ Organisation  document  and  position  describing, 

♦ Quality  plan  on  every  project, 

♦ Internal  procedures  (Who  does  What  and  How), 

♦ Practical  guides, 

♦ Quality  records. 
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5.  PTTBT  JC  SAFETY  SYSTEMS  NETWORK  SECTTRTZATION 


5.1. YOUR  SYSTEM,  DESCRIPTION  OF  EXISTING  ARCHITECTURE 

You  will  find  below  your  existing  architecture: 


Central  System 


Network 


LAN  2 LAN  6 *rS, 

and  user  with  PCs  in  the  Local  Area  Network.  All  of  those  are  linked  by  optical  fiber.  In  the  main  central  site, 
you  use  3Com  3300  switches  and  Cisco  2600  Routers. 

All  the  remote  sites  are  composed  by  a Compaq  server  and  a LAN  of  PCs.  Again,  here  you  use  3Com  3300 
switches.  In  each  site  there  are  3 to  10  PCs.  The  PCs  are  Pentium  4 running  under  Windows  2000  Server. 
The  server  of  each  remote  site  is  in  fact  a partial  replication  of  the  central  data  base. 

The  remote  users,  who  want  to  connect  to  the  central  sites  are  only  using  their  PCs.  In  this  case,  there  is  no 
server. 


The  transfer  of  information  is  always  done  from  the  remote  sites  to  the  central  system.  Remote  sites  are 
upgrading  main  data  base  but  never  in  the  other  way.  For  the  data  transmission,  protocol  used  is  standard 


TCP-IP. 


5.2.IDENTIFICATION  OF  SECURITY  PROBLEM 
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Today,  all  the  data  transmission  between  the  different  sites  is  done  without  any  encryption  or  protection.  That 
is  to  say  that  a hacker  can  intercept  the  flow  of  data  transmitted  and  access  to  confidential  information. 

What  is  more,  a hacker  may  also  try  to  enter  illegally  in  the  LAN  of  remote  or  main  sites.  If  he  can  do  this, 
he  will  also  have  an  easy  access  to  the  information. 

To  protect  you  from  all  these  threats,  we  will  propose  to  you  the  solution  described  below 

5.3.0UR  PROPOSED  SOLUTION 
5.3.1. 12E  VPN:  CRYPTO-TUNNEL 

As  far  as  remote  secure  network  access  is  concerned,  i2e  offers  2 solutions: 

Crypto  WALL  Crypto-Tunnel  Clients-Server 
Crypto  WALL  Crypto-Tunnel  Point  to  Point 


Crypto-Tunnel  Clients-Server  establishes  secure  connections  between  a server,  generally  located  in  the 
branch  office  of  your  company,  and  the  remote  workstations,  which  need  a link  to  the  Local  Area  Network 
(LAN).  This  software  solution  has  been  designed  to  open  an  access  to  your  company  LAN  for  your  co- 
workers from  all  over  the  world.  Everyone  can  share  all  kind  of  information  with  high  security. 

Crypto-Tunnel  Point  to  Point  is  a software  solution  designed  to  establish  an  encrypted  communication 
tunnel  between  two  or  more  remote  office.  This  tunnel  uses  existing  physical  network,  such  as  Internet,  and 
its  purpose  is  to  secure  all  data  flows  transmitted  between  different  sites  of  the  same  company. 

5.3. 2. Common  features 

Strong  authentication  by  ECC  signature  - Unique  in  the  world 

Thanks  to  a key  exchange  protocol  based  on  Elliptic  Curve  technology,  Crypto-Tunnel  increases  the 
security  of  the  authentication  process. 

Elliptic  Curve  technology  offers  the  most  powerful  cryptographic  protections  of  nowadays  for  a few  reasons: 

Due  to  new  ECC  mathematical  models,  classical  ways  used  to  break  RSA  or  DSA  algorithms  do  not 
work 

Computing  time  with  elliptic  curves  decreases 

Elliptic  curve  keys  use  less  memory  compared  with  RSA  keys  for  the  same  strength  of  protection. 
For  instance,  encrypting  with  a 128  bits  key  ECC  is  as  strength  as  a 1024  bits  key  RSA.  Thus,  ECC 
suits  very  well  smart  cards  needs  or  weak  memory  environments 
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Compliant  with  European  and  international  norms . 

Crypto-Tunnel  is  in  accordance  with  European  and  international  standards,  relative  to  IT  security  which 
guarantee  compatibility  and  upgradeability  of  its  solutions:  digital  certificate  in  X509  V3  for  authentication, 
signature  with  elliptic  curves  (ECDSA)  . . . 


5.3.3. Specific  features 

5.3.3. 1. Crypto WALL  Crypto-Tunnel  Clients-Server 

The  Crypto-Tunnel  system  provides  secure  data  transmission  between  a local  network  and  client 
remote  workstations,  wherever  they  are. 

Access  to  encrypted  data  running  on  the  network  will  be  impossible  for  hackers  or  intruders.  An  encrypted 
point  to  point  link  is  established  between  branch  office  and  mobile  stations  whatever  transmission  media  is 
used:  Ethernet,  WIFI,  Bluetooth,  IRDA  . . . 

Crypto-Tunnel  acts  as  a firewall  to  prevent  any  kind  of  intrusion 

The  client  workstation  software  is  integrated  into  Microsoft  Windows  kernel  to  control  and  protect  all  input 
and  output  network  flows.  So,  during  a secure  communication,  all  network  ports  are  closed  except  the 
encrypted  one. 

The  server  software  also  features  an  intrusion  detection  technology.  It  makes  your  server  more  secure  and 
insensitive  to  attacks  like:  Man-in-the-middle,  rebound  attacks,  Spoofing,  Flooding,  etc. 

Smart  card  authentication 

To  use  the  client,  one  needs  a smart  card  USB  key  potected  by  PIN  to  open  the  tunnel  with  the  remote  server. 
This  smart  card  contains  personal  data  needed  to  authenticate  oneself  and  used  to  establish  a personal  secure 
communication  with  the  server. 

5.3.3.2. CryptoWALL  Crypto-Tunnel  Point  to  Point 

Crypto  WALL  Crypto-Tunnel  Point  to  Point  offers  a high  level  of  security  to  interconnect  distant  offices 
and  business  partners  by  creating  a secure  tunnel  through  Internet  independent  from  the  physical  media 
crossed:  Ethernet,  WIFI,  Bluetooth,  IRDA,  . . . 

Thanks  to  this  software,  data  are  always  encrypted  on  the  network,  and  cannot  be  read.  A hacker  can  never 
intercept  critical  data  from  your  company.  You  work  with  optimal  security. 

No  specific  configuration  is  required  and  the  system  is  transparent  for  users.  Each  user  keeps  his  or  her  usual 
working  comfort.  Crypto-Tunnel  Point  to  Point  provides  secure  use  of  all  standards  applications:  Mail, 
Internet,  voice  communication,  Videoconference  or  any  other  dedicated  application.  The  system  provides 
secure  exchange  of  any  type  of  critical  data  and  protects  integrity  of  the  company  data. 

Crypto-Tunnel  acts  as  a firewall  to  prevent  any  kind  of  intrusion 

Whatever  encryption  algorithm  chosen,  Crypto-Tunnel  Point  to  Point  features  an  intrusion  detection 
technology.  It  makes  your  server  more  secure  and  insensitive  to  attacks  like:  Man-in-the-middle,  rebound 
attacks,  Spoofing,  Flooding,  etc. 


5.3.4.THE  NEW  ARCHITECTURE 

To  protect  all  your  data  transmission  between  the  sites,  we  will  install  the  Crypto-Tunnel  technology  in  each 
site  (remote  and  central)  and  for  every  remote  user  allowed  to  use  the  central  resources. 
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You  will  find  the  new  network  architecture  below: 


Central  System 


Local  Area 
Network 


Server 


Remote  User 


Crypto-Tunnel  Server 


LAN  2 

Tunnel  Client  licence  for  each  remote  user  connected. 


LAN  6 


SERVERS 


LAN  1 


I — © — 


f f 

Archiving 

£ 

& & 

DLT 

Backup  I — @ — I 

Optical  Ffccr 


RAID 
System  — @ — | 


The  entire  securization  will  not  imply  any  modification  in  your  network,  it  will  remain  easy  to  deploy  and 
easy  to  use.  After  deployment,  you  will  continue  working  with  the  same  software  as  before.  The  securization 
layer  will  be  transparent  for  end  users.  They  will  keep  all  their  working  comfort,  without  changing  any  of 
their  habits. 
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5.4.SECURIZATION  OF  EACH  PC:  PC  PROTECT 

PC-Protect  is  a software  solution  allowing  the  creation  of  safe  boxes  on  your  computer  or  external  drives. 
With  this  software  and  with  your  smart  card,  you  will  create  volume  (seen  in  Windows  as  virtual  local 
drives)  that  only  you  will  be  able  to  open.  The  volume  is  encrypted  by  your  personal  key  stored  in  your 
smart  card  and  decrypted  in  real-time  when  you  need  to  access  to  the  confidential  information. 

With  only  one  software  installed  on  your  computer,  you  will  be  able  to  create  as  many  volumes  as  you  want 
and  on  every  kind  of  physical  support  (Flash  USB  Key,  Local  drive,  CD-ROM,  Network  server  . . .). 

Then  all  your  datas  will  be  encrypted  in  every  PC  of  your  network. 

For  more  information  about  this  product,  you  will  find  the  data  sheet  in  Annex  3. 


5.5.SECURIZATION  OF  YOUR  MAIL:  MAIL-PROTECT 

Mail-Protect  is  a software  used  to  protect  the  email  you  send  and  receive.  This  software  encrypts  and  sign 
(with  digital  signature  and  certificates)  your  confidential  emails.  The  encryption  and  signature  protects  you 
against  intercepting  and  reading  your  email,  modifying  them  during  transfer  and  assures  you  that  the  sender 
is  really  the  one  he  pretends  to  be. 

A1  these  protections  are  provided  by  the  use  of  the  smart  card.  You  can  use  the  same  smart  card  if  you  are 
already  a PC-Protect  user.  In  your  smart  card  will  be  stored  your  secret  keys  used  for  encryption. 

For  more  information  about  this  product,  you  will  find  the  data  sheet  in  Annex  4. 

5.6.EXISTING  SOLUTION  PROVIDED  BY  I2E 

All  these  solution  have  already  been  provided  by  i2e  Technologies  to  the  French  Army,  to  the  French 
Ministry  of  Defence  and  to  some  French  big  accounts. 


5.7.PLANNING 


After  approval  for  exportation,  the  delivery  will  be  within  4 months. 
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6.  MOBILE  PHONE  ENCRYPTION  AND  PROTECTION 
6.1.ALTERNATIVE  SOLUTIONS 

Their  are  different  techniques  to  encrypt  a conversation  over  a mobile  phone  (GSM,  GPRS,  ...). 

Encryption  Method 

The  robustness  of  the  encryption  lies  first  on  the  quality  of  the  mathematical  algorithm  used  to 
encrypt.  As  mentioned  before  only  the  elliptical  curves  (ECC)  give  a total  reliability  whereas  the 
RSA/AES  models  are  proven  to  be  easily  breakable. 

I2E  is  the  only  source  to  offer  the  ultimate  ECC  encryption  over  mobile. 

I2E  phones  are  the  only  one  to  assure  a totally  reliable  and  confidential  phone  conversation. 

Communication  canal: 

Beside  the  encryption  method,  the  way  to  transport  the  encrypted  signal  is  also  critical.  The  only 
valid  ones  are  using  the  data  canal  of  the  link.  Of  this  category,  all  are  using  the  data  canal  of  the 
GSM  link.  This  method  has  three  serious  problems : 


a)the  speed  of  the  data  canal  on  the  GSM  is  extremely  limited,  which  means  that,  unless  the 
signal  strenght  is  excellent  and  the  quality  of  the  connection  is  also  excellent, 
communication  are  often  broken  or  scattered.  By  the  same  token,  international 
communication  are  rendered  difficult. 


b) The  second  drawback  of  this  method  is  its  inherent  cost  since  the  communication  are 
invoiced  by  the  amonut  of  information  on  the  data  canal  and  not  by  the  communication  time. 
The  GSM  data  canal  is  very  expensive. 

c) The  last  drawback  is  the  cost  of  these  individual  phones  added  to  the  fact  that  only  two 
exact  same  phones  can  communicate  together. 

I2E  encrypted  phones  (CTOP)  are  totally  different.  They  are  using  the  ultimate  techniques. 

a)  First  CTOP  phones  are  the  only  one  with  ECC  encryption  method. 


b)  Second,  only  these  are  also  using  the  GPRS  communication  canal,  which  is  by  definition 
designed  for  data  transmittion.  Capacity  of  this  canal  is  far  greater  than  the  GSM  data  canal. 
It  means  that  it  allows  information  redundancy  and  avoids  scattered  or  broken 
communications. 


c)  Third,  the  cost  of  data  transfer  over  GPRS  is  by  far  less  costly  than  GSM  data  transfer. 
Costs  of  communication  will  then  be  cheaper. 

d) Lastly,  cost  of  the  encrypted  phones  is  limited  to  the  cost  of  the  software  that  is  added  on 
the  smart  phone  that  the  user  already  has.  It  is  also,  by  definition,  easy  to  change  phones 
after,  since  these  products  evolve  very  rapidly. 
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6.2.THE  EXISTING  SYSTEM:  C-TOP-  SECURE  MOBILE  PHONES 
6.2.1. Voice  protection  over  GPRS 

2 CTOP  users  can  communicate  with  VoIP  over  GRPS  in  full  confidence.  All  their  conversations  are  strongly 
encrypted.  CTOP  is  a Windows  Mobile  application  over  QTEK  9100  smart  phone  under  Windows  CE  5.0. 


6.2.2.SIMPLR  1 1 v aim li  hKtH  m^CURITY 

Whole  CTOP  security  is  entirely  transparent  to  users.  No  knowledge  in  cryptography  or  IT  security  matters 
is  needed  to  use  it.  CTOP  is  very  easy  and  comfortable  to  use.  Nevertheless,  easiness  does  not  mean  low 
security,  since  CTOP  protection  is  based  on  the  ultra  robust  technology  of  elliptic  curves  cryptography. 

Elliptic  curves  technology  provides  security  for: 
authenticating  strongly  CTOP  users 
creating  encryption  key  for  each  communication 

encrypting  communications  between  CTOP  Terminals.  Thus,  encryption  algorithm  is  single  and 
really  strong. 


6.2.3. Architecture  of  CTOP 

Architecture  is  composed  of: 

CTOP  terminals  (GPRS  terminals) 
One  CTOP  server  (on  the  Internet) 


6.2.4.CTOP  Terminal 
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The  CTOP  Terminal  is  used  for  : 

connecting  to  other  CTOP  Terminals 
communicating  in  full  confidence  with  secured  VoIP 

An  intuitive  GUI  enables  CTOP  users  to: 
dial  and  call  other  CTOP  users 
save  numbers,  contacts  in  CTOP  directory 
manage  missed  calls  or  called  number 

manage  classic  phone  features  (micro  or  audio  volume,  calling  number  displaying,  mute  mode) 

6.2.5.CTQP  Server 

This  server  is  used  for  : 

connecting  CTOP  terminals  between  themselves 

enabling  CTOP  terminals  to  communicate  despite  the  NAT  GPRS  providers  problem 
blocking  of  stolen  or  lost  CTOP  terminals 
managing  groups  of  CTOP  users 

authenticating  strongly  CTOP  terminals  that  aim  to  communicate 

This  server  is  strongly  protected  against  all  kinds  of  modem  attacks  such  as  Deny  of  Service  or  Man  in  the 
Middle  Attack  for  instance.  Only  a trusted  administrator  can  access  to  this  server  with  a security  token 
protected  by  a PIN  code. 

Besides,  this  server  is  designed  to  manage  few  hundreds  CTOP  communications  in  the  same  time.  The 
number  of  communications  is  dependant  of  the  Internet  broadband  you  give  to  this  server. 


Note:  in  this  native  solution  it  is  infeasible  to  recover  or  decrypt  communications  between  two  CTOP 
terminals . 
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6.3.THE  SOLUTION  WITH  “MASTER  KEY” 

As  we  said  before,  the  CTOP  solution  is  unbreakable  because: 
there  is  a strong  authentication  for  the  clients. 

the  encryption  algorithm  is  the  best  we  can  find  now  because  based  on  elliptic  curves. 

Without  lowering  all  this  security  features,  we  can  provide  you  a CTOP  system  with  a “master  key”  to 
monitor  all  encrypted  communications. 

6.3.1.  Main  Features 

6.3.1.1. A  MODULE  FOR  MONITORING  COMMUNICATION 

To  answer  to  your  needs,  we  can  provide  you  a module  that  modifies  the  role  of  the  server.  In  the  new 
system,  we  will  give  you  a master  key,  which  will  be  able  to  decrypt  every  CTOP  audio  conversation.  This 
key  will  be  used  on  the  CTOP  central  server,  and  with  it,  you  will  be  able  to  listen  to  audio  conversation 
either  in  live  or  in  differed  time.  The  detailed  use  will  be  explained  on  the  next  scheme. 

6.3.1.2. PROTECTION  OF  THE  MASTER  KEY 

This  key  must  be  protected  with  very  strong  security  policy;  only  authorized  and  accredited  people  will 
have  access  to  this  key  and  to  the  room  where  the  server  stays.  The  key  will  also  be  protected  by  a two- 
people  access  : “CTOP  server”  with  Access  Control  by  secret  sharing  system.  This  means  that  two  different 
people  in  charge  with  their  own  password  must  be  present  at  the  same  time  to  use  this  system. 

6.3.1.3. ROLE  OF  THE  SERVER 

The  server  will,  in  this  solution,  not  only  remain  a network  relay  for  all  voice  communication  packets,  but 
also  become  a recorder  for  all  encrypted  communications.  All  the  encrypted  communications  will  be  saved  in 
a database  on  the  server  with  the  decryption  key,  thus  you  will  be  able  to  listen  to  it  live  or  to  store  it  for  later 
use.  With  this  module,  you  will  also  see  who  is  communicating  with  whom  in  real-time,  because  each  user  is 
authenticated  on  the  central  server. 
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6.3.1.4.GENERAL  SCHEME  OF  WORK 


6.3. 2. Technical  Details 

For  end-users,  there  will  be  no  difference  when  they  use  the  normal  or  the  modified  solution. 

In  terms  of  security,  the  “master  key”  is  also  called  a recovery  key,  because  anyone  in  possession  of  this  one 
can  recover  all  encrypted  information. 

Technically,  each  communication  is  encrypted  with  a different  secret  key.  In  the  modified  solution,  this  secret 
key  will,  in  fact,  be  readable  for  the  owner  of  the  master  key.  The  secret  key  of  each  communication  will  be 
recorded  in  the  central  CTOP  Server  just  like  the  entire  communication.  This  solution  is  the  best  we  can 
provide  to  answer  to  your  need,  because  it  offers  you  a way  to  monitor  encrypted  communication  either  live 
or  in  deferred  time. 


6.4.PLANNING 


After  approval  for  exportation,  the  delivery  will  be  within  5 months 
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7.  LEGAL  GSM  INTERCEPTION 


Beside  all  techniques  here  above  described,  we  suggest  that  you  equip  your  services  with  means  off  legal 
interception  of  GSM.  The  proposed  system  is  capable  of  monitoring  through  the  network,  intercept  and/or 
record  up  to  128  communications  simultaneously.  The  key  parameters  are  described  hereafter. 


7.1.LEGAL  INTERCEPTION  CAPABILITIES 

• Simultaneous  support  of  64  El  interfaces 

• Interception  mode  available  simultaneously  on  GSM-A  and/or  SS7  ISUP 

• Real  Time  monitoring  of  128  Signaling  Time-slots  (GSM-A  / ISUP) 

• Simultaneous  Interception  of  up  to  128  searched  numbers 

• Up  to  128  calls  (Audio  CDRs)  can  be  recorded  at  the  same  time  (i.e.  up  to  128  speech  channels) 

• Beside  the  Audio  CDR  also  the  Signaling  CDR  is  recorded  with  FULL  detail  about  the  call  (source, 
destination,  circuits,  location,  time,  call  duration) 

• ISUP  SS7  searched  numbers  can  be  Calling  Number,  Called  Number 

• GSM-A  searched  number  can  be  Calling  Number,  Called  Number,  IMSI,  TMSI,  IMEI 

• Wild  Cards  are  supported  to  search  for  group  of  numbers. 

• GSM-A  Handover  is  fully  implemented  giving  the  possibility  to  intercept  a mobile  moving  across 
different  BTSs 

• Only  Signaling  CDRs  and  Audio  CDRs  matching  the  interception  criteria  are  stored  in  the  HDD  (for 
long  unattended  interceptions) 

• Signaling  CDRs  and  Audio  CDRs  are  stored  locally  in  a proprietary  format  for  security  reasons. 

• Extended  filtering  capabilities  are  available  to  search  the  database  of  recorded  calls. 


Multiple  Clients/Users 
can  access  the  unit  and 
select  which  numbers 
shall  be  intercepted 
and  listened  to  the 
conversations  matching 
the  searching  criteria 
through  a TCP/IP 
network  directly  on 
their  standard  PC 
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• Multiple  Remote  users  can  connect  across  a TCP/IP  Network  using  a special  Java  based  interface 
that  validates  the  user  rights. 

• Users  can  define  on  the  fly  the  Interception  criteria  and  retrieve/Play  back  the  recorded  audio  CDR 
on  their  local  PCs 

• Retrieved  Audio  CDRs  can  be  saved  as  standard  .Wav  files  as  evidence. 


7.2.LEGAL  INTERCEr  i iui>  JSurNUUxTS 


• Very  high  number  of  El  ports  available  per  shelf:  64.  Cost  and  space  effective. 

• Very  Scalable  solution  based  on  additional  shelves  from  4 to  max  64  ports  each. 

• Signaling  and  Audio  channels  are  processed  locally  at  the  MSC/Switch 

• No  Blocking  factors:  up  to  128  Signaling  links  can  be  fully  monitored  searching  from  the 
interception  criteria  and  up  to  128  audio  channels  can  be  dynamically  recorded  based  on  the 
matching  criteria,  regardless  from  where  they  are  located  on  the  64  El  ports. 

• No  need  to  extend  the  El  circuits  across  a WAN  to  a centralized  location  with  expensive  and 
difficult  to  maintain  solutions  based  on  Concentrators  and/or  PCM  Cross  Connects  and  high  number 
of  dedicated  and  expensive  transport  lines. 

• Remote  users  can  simply  connect  from  virtually  every  PC  or  Workstation  across  a standard  TCP/IP 
network.  (I.e.  non  need  to  deploy  a dedicated  network  and  very  low  bandwidth  requirements  from 
the  TCP/IP  network  due  the  usage  of  intelligent  3Gmaster  probes) 

• Modern  open  architecture  already  implementing  all  the  newer  technologies  (UMTS,  GPRS, 
SIGTRAN,  VoIP,  etc) 


7.3.GSM  MONITORING 

We  consider  three  ways  of  using  the  distant  GSM  to  monitor  the  conversation  or  activity  being  held  at  the 
GSM  location.  One  is  cooperative  (the  GSM  holder  is  aware  that  the  GSM  is  used  as  a remote  microphone) 
and  the  two  others  are  un-cooperative. 

7.3.1. REMOTE  COOPERATIVE  MODIFIED  GSM 

This  GSM  is  a modified  GSM  with  a super  sensitive  microphone  which  allows  capturing  all  conversations  in 
the  room.  It  is  used  with  full  awareness  of  owner  as  a remote  microphone. 
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While  listening  and  transmitting  conversation,  the  GSM  remains  in  an  apparent  “OFF”  mode,  preventing 
suspicion. 

The  GSM  listening  mode  is  activated  remotely  by  authorized  GSM  phone  and  is  stopped  the  same  way. 
Conversation  lasts  as  long  as  battery  is  available. 

Enclose  in  our  proposal  are  3 telephones  of  this  kind. 


7.3.2.REMOTE  UNCOOPERATIVE  MOPTFTEP  GSM 

This  GSM  is  a modified  GSM.  It  is  “offered”  to  its  owner  without  his  (or  her)  awareness  that  it  has  been 
modified.  It  allows  capturing  conversations  within  proximity  of  the  GSM  phone  by  calling  on  a silent  mode 
and  with  password  the  modified  GSM. 

_ i 


The  GSM  listening  mode  is  activated  remotely  by  authorized  GSM  phone  and  using  special  code  so  that  the 
owner  doesn’t  realise  that  is  phone  is  emitting  and  is  stopped  the  same  way. 

Conversation  lasts  as  long  as  battery  is  available. 

It  requires  the  phone  to  be  “on  stand  by”  mode  to  be  triggered  and  will  not  work  if  the  phone  is  off  or  if  the 
battery  is  removed  or  if  the  SIM  card  is  changed. 

Enclose  in  our  proposal  are  3 telephones  of  this  kind. 


7.3.3.REMOTE  UNCOOPERATIVE  UNMODIFIED  GSM 

This  GSM  is  not  a hardware  modified  GSM.  The  objective  of  this  development  programme  is  to  be  able  to 
trigger  phones  of  selected  persons  and  be  able  to  listen  to  their  discussions  using  their  GSM  phone  as  a 
microphone  and  without  their  awareness.  It  will  allow  capturing  conversations  within  proximity  of  the  GSM 
phone  by  calling  on  a silent  mode  though  the  listening  equipment. 
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The  GSM  listening  mode  is  activated  remotely  through  the  equipment  delivered,  which  is  connected  to  the 
GSM  network. 

Conversation  lasts  as  long  as  battery  is  available. 

It  requires  the  phone  to  be  “on  stand  by”  mode  to  be  triggered  and  will  not  work  if  the  phone  is  off  or  if  the 
battery  is  removed  or  if  the  SIM  card  is  changed. 

Development  program  will  be  conducted  locally  in  steps: 

a)  first  step  will  be  utilisation  of  the  system  on  one  specific  model  of  telephone 

b)  second  step  will  be  utilisation  of  the  system  on  one  specific  brand  of  telephone 

c)  last  step  will  be  duplication  of  the  system  on  several  brands 
Enclose  in  our  proposal  is  one  mobile  system. 


7.4.MOBILE  USER  LOCALISATION 


I2E  has  developed  two  complementary  systems  for  the  mobile  user’s  localisation  within  a mobile  network. 


7.5.GSM  / GPRS  / UMTS  SIGNALLING  ANALYSIS 


Our  application  is  composed  by  a non  intrusive  measurement  probe  installed  in  a MSC  center,  a processing 
server  and  a storage  server. 


This  system  is  able  to  analyse  in  real  time,  or  postponed,  more  than  300  signalling  links  per  measurement 
probe.  The  software  processing  allows  getting  real  time  mobile  user’s  localisation,  activity  and  exchanged 
data  (except  voice  speech). 


The  analysis  includes: 


• Prepaid  users,  normal  subscribers  and  roamers 

• Identification  via  IMSI  (individual  or  list),  IMEI  (individual  or  list),  MSISDN/  Phone  number 
(individual  or  list) 


The  data  provided: 


• Mobility  : when  and  where  the  user  has  done  a transaction  in  the  network 

• Activity:  what  type  of  transaction  has  been  done  (LU,  MOC,  MTC,  SMS,  Data,  SMTP,  POP,  FTP, 
WAP,  Visio  ....) 

• Data  transmitted  : What  data  has  been  send  or  received  (MMS,  Voice  over  UMTS,  Download,  e- 
mail,  SMS) 

• A common  use  of  the  network  (localisation)  between  2 or  several  users 
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7.6.PORTABLE  LOCATOR  FOR  GSM  MOBILE  TERMINAL. 


This  product  is  based  on  GSM  base  station  simulation  technology.  It  allows  to  detect  and  to  save  in  a 
database  all  the  GSM  mobiles  that  are  present  in  a user  selectable  area,  for  example  a hotel,  a building  or  an 
airport. 

At  the  setup,  the  system  generates  a coverage  area  which  varies  depending  of  the  transmitted  power  (1  W to 
16  W)  and  the  BTS  proximity.  Then,  all  the  mobile  terminals  that  are  in  this  area  for  15  to  60  seconds 
(depending  of  the  mobile  terminal  type)  are  detected  and  their  International  Mobile  Subscriber  Identity  - 
IMSI-  and  International  Mobile  Equipment  Identity  -IMEI  saved  in  a database. 
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Operator  can  change  the  covered  area  by  regulating  output  power.  If  the  transmit  power  with  1W  is  not 
enough  to  cover  the  area,  it  can  be  connected  to  a frequency  power  amplifier  and  antenna  amplifier. 
Generally,  in  city  the  coverage  area  can  reach  from  10  to  100  meters  and  from  50m  to  2km  in  suburb. 


During  all  the  process,  the  use  of  the  GSM  terminal  is  affected  during  the  2 to  10  first  seconds,  and  this  only 
for  the  incoming  calls.  After  this  period,  the  GSM  mobile  works  normally. 


7.7.PLANNING 

After  approval  for  exportation  (TO  ),  the  delivery  will  be: 

a)  T0+1  month  for  the  remote  cooperant  MODIFIED  GSM 

b)  T0+1  month  for  the  remote  uncooperative  MODIFIED  GSM 

c)  TO+7  months  for  the  remote  uncooperative  UNMODIFIED  GSM 

d)  T0+6  months  for  all  other  items 


Homeland  Security  Program 
Technical  Specification 


25 


20060512TP-HOSP 


Ind. 02 


8.  NETWORK  STREAM  ANAEYSER  1NSA1 
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8.1.GENERAL  PRESENTATION 


Network  Stream  Analyser,  NSA,  is  an  Internet  network  monitoring  equipment. 

It  is  mainly  designed  to  monitor  all  internet  traffic  and  intercept  those  mails  that  may  content  information 
relevant  to  the  Public  Safety  System  Organisation. 

The  whole  system  is  designed  to  be  absolutely  passive,  connected  on  internet  via  the  main  Libyan  ISP  with 
its  approval,  and  without  any  disruption  on  his  installation.  The  System  is  also  undetectable  by  any  Internet 
Users. 


The  system  will  be  connected  on  the  1 Gbit/s  Ethernet  connection  between  the  switch  CISCO  catalyst  6000 
and  the  main  router  which  is  a CISCO  serie  7500  (to  be  upgraded  in  the  next  months)  thanks  to  an  optical  tap 
from  the  company  Netoptics  (see  attached  document,  annex  #A),  allowing  no  disrupt  of  traffic  in  case  of 
default,  the  traffic  will  continue  even  if  our  equipment  is  not  working. 

The  first  step  of  our  system  is  to  go  through  a very  powerful  PROBE  which  is  able  to  process  a 1 Gbit/s  flow 
in  real  time  (real  time  on  the  whole  1 Gbit/s),  this  probe  is  composed  of  plug-in  modules,  each  module  being 
able  to  process  200Mbit/s  of  datas,  Those  modules  are  easily  replaceable  and  are  hot  plug  (plug  and  play). 

This  probe  has  a special  software  which  is  doing  discrimination  of  the  internet  flow  in  different  categories: 
mail  (including  webmail,  instant  messaging,  etc.)  , HTTP,  VoiP,  business  type  (VPN,  citrix,  etc.),  video,  etc. 
The  recognition  is  done  through  this  special  software  (CAPI-FC)  which  can  recognize  up  to  250  of  the  most 
used  protocols,  those  ones  are  recognised  thanks  to  unique  software  whose  recognition  is  based  on  key  word 
and  syntax  within  the  protocol.  Then  the  internet  flow  is  sent  to  a big  DATA  BASE  in  as  many  files  as  main 
topics,  that  means  that  there  will  be  a file  for  all  the  mail  types,  another  one  for  VoIP,  etc. 

The  transfers  of  the  datas  will  be  done  through  an  optical  fiber,  so  we  will  be  able  to  locate  the  data  base  in 
the  monitoring  center  for  security  reason,  the  only  equipment  located  in  the  ISP  will  be  the  probe  and  the 
data  base  server,  the  data  base  disks  will  be  in  the  monitoring  center. 

This  software  can  be  up  graded  easily  as  every  protocols  recognition  is  done  through  “plug  in”  software 
modules  and  another  new  module  can  be  added  very  easily.  Right  now,  we  can  guarantee  more  than  70% 
recognition  of  the  internet  flow. 


We  will  assist  the  customer  in  adding  new  protocols  recognition  to  achieve  this  goal  of  70%  by  adding  new 
protocol  plug  in  if  necessary  with  a target  of  90%  recognition. 


H000 
0B00- 
□ H H □ 


CAPI-FC 

engine 


Plugin 


Plugin 


Plugin 


State 

Information 


The  created  files  will  then  be  stored  in  a very  big  data  base  server  of  12To,  which  will  give  you  the  available 
amount  of  space  to  store  up  to  more  than  50  days  according  to  the  relevant  information  of  LTT,  based  on  the 
today’s  traffic  (60%  average  load  on  the  STM1  optical  link). 


At  the  same  time,  the  powerful  probe  is  taking  a number  of  information  called  “attributes”  for  all  the 
recognized  protocols,  the  software  doing  that  is  call  CAPI-FM  , like  Flow  Monitor.  For  each  protocol,  we 
will  have  several  attributes,  for  example: 


- SMTP:  sender,  receiver,  subject,  keyword,  attachment  type,  . . . 


- GTP  (mobile  tunneling)  L2TP  (fixed  network  tunneling)  : IMSI,  MSISDN,  called  ID,  etc. . . 


- WSP  (wap):  Agent,  . . . 
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- HTTP:  server,  URI,  agent,  .... 

- Radius:  user,  IP  address,  . . . 

- Webmail:  user,  IP,  subject,  keyword,. . . 

It  is  very  important  to  realise  that  all  those  attributes  will  be  given  in  real  time  for  all  traffic  (real  time  means 
seconds  and  not  minutes!). 

Those  attributes  create  a “CDR”,  like  Call  Data  Records  which  is  going  to  be  stored  in  the  same  data  base  as 
the  complete  flow.  The  data  base  is  hence  separated  in  two  smaller  data  base,  one  being  the  CDR  data  base 
with  all  the  attributes  associated  with  every  protocols  and  another  database  with  the  complete  traffic. 

The  filtering  will  be  done  based  on  those  attributes,  and  then  if  necessary  the  complete  data  exchange  will  be 
reconstitute  (in  differed  time  obviously)  like  complete  email  including  attached  files,  VoIP  session,  chat  , 
etc... 


Main  international  trafic 
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It  is  very  important  to  notice  that  all  the  traffic  exchange  will  generate  CDR  with  “attributes”  and  that  all  those  CDR 
will  be  stored  in  the  data  base  in  real  time.  The  datas  are  not  filtered  but  stored  in  totality,  they  are  stored  including  their 
attributes  and  then  it  will  be  possible  to  reconstitute  the  complete  flows  and  information  exchange  through  filtering  or 
targeting. 
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8.2.  THE  PROBE 
8.2.1. THE  UNIT 


The  probe  is  designed  to  handle  traffic  of  1 Gbit/s  full  duplex,  it  is  constituted  of  5 plug  in  modules  being  able  to  handle 
200Mbit/s  full  duplex.  Those  plug  in  are  hot  swappable  and  can  be  removed  and  reinstall  with  out  stopping  data 
acquisition. 


Those  probes  can  be  added  in  different  places  to  handle  more  points  of  interception,  they  don’t  need  to  be  cascaded, 
then  agglomerate  traffic  of  several  Gbit/s  can  be  done,  the  datas  will  be  then  stored  in  the  same  data  base.  In  conclusion 
through  this  solution,  the  proposal  can  be  expandable  to  1 OGbit/s  of  intercepted  traffic,  all  the  probes  being  placed  on 
1 Gbit/s  interface  and  then  all  the  datas  will  feed  the  same  data  base. 


8.2.2.QPTTON  : ANOTHER  1 GBit/s  LINK  TO  BE  MONITORED 


Example  of  future  evolution  of  the  system  with  another  point  of  interception  monitoring  another  1 Gbit/s  interface: 


LTT  Monitoring  point 
With  1 Gbit/s  interface  point 


Another  lGBit/sMonitoring 
point 


DATABASE 

server 


This  option  is  INCLUDED  in  our  offer. 
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8.3.THE  DATABASE 
8.3.1  .PRESENTATION 

The  state  of  the  art  data  base  server  which  is  going  to  host  the  data  will  have  a 12To  disk  capacity,  organized  in  RAID  5 
to  secure  the  data,  this  server  will  be  a versatile  server  with  hot  plug  removable  hard  disk  of  at  least  300Go  with  Fiber 
channel  SCSI  interface  (depending  of  technology  evolution  at  the  PO  order). 

The  server  will  be  located  in  the  ISP  premises  and  the  disk  array  in  the  monitoring  center  for  security  reason.  The  link 
between  the  two  will  be  done  through  a 4GB it/s  fiber  channel  solution  with  a maximum  length  of  10km  (for  the 
proposal  we  have  taken  for  granted  that  the  optical  fiber  is  already  installed). 


The 

The 

rate 


proposed  solut 
solution  will  h« 

and  will  share  the  same  storage  management  system. 


it  will  depends  of  PO  timing), 
connection  !)  to  handle  the  data 


The  fiber  channel  technology  will  be  used  in  the  main  server  and  through  all  the  rack  extension,  this  data  base  will  be 
installed  with  12To  of  disk  capacity  and  could  be  up  graded  up  to  34To  if  necessary. 


The  disk  will  be  FIBER  CHANNEL  SCSI  type,  300Go  each  and  running  at  15000  r/m,  the  RAID  controller 
will  be  fully  redundant  and  the  server  will  be  highly  secure. 

The  main  server  will  handle  16  disks  and  will  be  able  to  be  connected  up  to  6 expansion  units  (EXP  810), 
each  of  those  units  being  able  to  handle  also  16  disks. 

The  total  capacity  of  the  system  for  future  evolution  will  be  34To. 


The  connections  towards  the 
internal  redundant  connections 

Each  RAID  Controller  will  have 

Intel 


XP  S10 


a 


servers  are  4GB it/s  Fiber  channel  type  as  the 
with  the  disks. 

the  minimum  specifications: 
xScale  667  MHertz  processor, 


1 Go  memory  ECC  (Error  Correction  Code)  SDRAM  cache 
128  Mo  flash  memory, 


RS-232  port  (DB-9  connector), 


2 Ethernet  ports  10/100  (RJ-45  connector). 


2 FC  4 Gbit/s  ports  for  servers  connectivity 
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2 FC  4 Gbit/s  ports  for  expansion  racks 


The  total  cache  memory  of  the  system  will  be  2Go  (IGo  per  controller).  In  case  of  power  supply  problem, 
the  cache  memory  will  be  protected  for  at  least  3 days  (one  battery  per  controller). 

The  server  will  be  connected  through  the  Fiber  Channel  connection  at  4GB it/s  and  through  a SAN  switch 
(FC-S),  a “long  wave”  multimode  optical  fiber  50  pm  should  be  installed  between  the  server  and  the  disk 
array  allowing  a distance  of  10km  between  the  two. 

The  optical  fiber  link  between  the  controllers  and  the  disk  arrays  are  doubled  for  redundancy 
reason. 


DATA  BASE 
server 


2 redundant  paths 


FIBER  CHANNEL  up 
to  10km 


fl 


DISK  ARRAY  12To 

Main  unit  with 
expansion  unit 

Up  gradable  up  to 
34To 


The  specifications  of  the  data  base  server  are  the  following  (minimum): 

- AMD  Opteron  2220  SE  Dual  Core  2x2.8  GHz/800  MHz,  2MB  L2,  4x512 
MB,  Open  Bay,  650W  p/s 

- 2 GB  (2x1GB  Kit)  PC5300  667  MHz  ECC  DDR  SDRAM  RDIMM 

- Hard  disk,  73  GB  15K  rpm  3.5"  Simple-Swap  SAS  HDD 
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8.3.2.QPTION  : REPLICATION  OF  DATA  RASE  IN  A SECOND  LOCATION 


To  be  able  to  secure  the  data  base,  we  can  as  an  option  add  a second  data  base,  which  is  an  exact 
duplication  of  the  first  one  in  a different  location  : 


DATABASE 

server 


2 redundant  paths 


FIBER  CHANNEL  up 
to  10km 


DISK  ARRAY  12To 

Main  unit  with 
expansion  unit 

Up  gradable  up  to 
34To 


2 redundant  paths 


F V 1 1 I 1 1 ' I 1 L ,1 LI  1 1 

to  10km 


— 

DISK  ARRAY  12To 

Main  unit  with 
expansion  unit 

Up  gradable  up  to 
34To 


II 


This  option  is  quoted  in  the  financial  proposal. 
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8.4.THE  MONITORING  CENTER  AND  FILTERING 


8.4.1  .FIRST  STEP:  THE  CDR  DATA  BASE 


The  monitoring  center  will  be  connected  to  the  data  base  through  a LAN.  In  the  proposal,  we  have 
included  10  PC  to  send  queries  to  the  MySQL  data  base.  The  system  will  be  organized  in  two 
operating  modes  : 


1 . The  CDR  constitution  in  real  time 

2.  The  reconstitution  of  all  communications  and/or  data  exchanges  from  the  complete  and  total 
monitored  flow. 


It  will  be  possible  to  send  queries  to  the  CDR  data  base. 

Those  queries  will  allow  the  visualization  of  extracted  information  from  the  data  base  (CDR),  the 
reconstitution  of  the  different  applications  or  communications  will  be  then  done  if  necessary  (don’t 
forget  that  we  store  the  complete  and  total  flow). 
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For  example,  here  is  a CDR  view  of  e-mail  communication  with  selected  attributes  (not  all): 


index 

A.smtp.*:sender  not  null 

A.smtp.*: receiver  not  null 

A.smtp*: subject  not  null 

A.smtp.*:mime_type  notn... 

way 

1 

Kim.Thai@lip6.fr 

fourmaux@l2ti.univ-paris1 3.fr 

RE  : RE  : module  reseaux  d... 

text/plain 

incoming 

2 

Laetitia.Jacquey@lip6.fr 

Guy.Pujolle@lip6.fr 

planning 

application/ynd.ms-excel 

incoming 

3 

bruno.talavera@rp.lip6.fr 

eric.horlait@lip6.fr 

Correction  Exchange 

text/plain 

incoming 

4 

nadjib.achir@lip6.fr 

idir.fodil@proxy.6wind.com 

RE:  Monica 

text/plain 

incoming 

5 

nadjib.achir@lip6.fr 

khene@rp.lip6.fr 

RE:  Monica 

text/plain 

incoming 

6 

nadjib.achir@lip6.fr 

khene@rp.lip6.fr 

TR:  Monica 

application/Vnd.ms-powerp... 

incoming 

7 

promethee.spathis@lip6.fr 

Fonseca@rp.lip6.fr 

http://amarrage.enst.fr:8080... 

text/html 

incoming 

8 

salamat@rp.lip6.fr 

Nina@sprintlabs.com 

RE:  Questions 

application/pdf 

incoming 

9 

salamat@rp.lip6.fr 

Nina@sprintlabs.com 

RE:  Questions 

text/plain 

incoming 

10 

salamat@rp.lip6.fr 

anucci@sprintlabs.com 

RE:  Questions 

text/plain 

incoming 

11 

salamat@rp.lip6.fr 

augustin.soule@lip6.fr 

RE:  Questions 

text/plain 

incoming 

12 

vincent.m.gauthier@free.fr 

r_ramahandry@yahoo.fr 

Re:  coucou  de  bordeaux 

text/plain 

incoming 

13 

youcef.khene@lip6.fr 

khene@rp.lip6.fr 

Re:  Monica 

text/plain 

incoming 

14 

ziviani@rp.lip6.fr 

said@anp.lip6.fr 

adresse  universite  Mauro 

text/plain 

incoming 

15 

Kim.Thai@lip6.fr 

fourmaux@l2ti.univ-paris1 3.fr 

RE  : RE  : module  reseaux  d... 

text/plain 

outgoing 

16 

Laetitia.Jacquey@lip6.fr 

Guy.Pujolle@lip6.fr 

planning 

application/ynd.ms-excel 

outgoing 

17 

bruno.talavera@rp.lip6.fr 

eric.horlait@lip6.fr 

Correction  Exchange 

text/plain 

outgoing 

18 

nadjib.achir@lip6.fr 

idir.fodil@proxy.6wind.com 

RE:  Monica 

text/plain 

outgoing 

19 

nadjib.achir@lip6.fr 

khene@rp.lip6.fr 

RE:  Monica 

text/plain 

outgoing 

20 

nadjib.achir@lip6.fr 

khene@rp.lip6.fr 

TR:  Monica 

application/ynd.ms-powerp... 

outgoing 

21 

promethee.spathis@lip6.fr 

Fonseca@rp.lip6.fr 

http://amarrage.enst.fr:8080... 

text/html 

outgoing 

22 

salamat@rp.lip6.fr 

Nina@sprintlabs.com 

RE:  Questions 

application/pdf 

outgoing 

23 

salamat@rp.lip6.fr 

anucci@sprintlabs.com 

RE:  Questions 

textfplain 

outgoing 

24 

salamat@rp.lip6.fr 

augustin.soule@lip6.fr 

RE:  Questions 

text/plain 

outgoing 

25 

vincent.m.gauthier@free.fr 

r_ramahandry@yahoo.fr 

Re:  coucou  de  bordeaux 

text/plain 

outgoing 

26 

youcef.khene@lip6.fr 

khene@rp.lip6.fr 

Re:  Monica 

text/plain 

outgoing 

If  necessary,  it  will  be  possible  to  reconstitute  the  second  complete  email  including  the  excel 
spreadsheet  if  this  e-mail  address  is  of  interest. 

We  can  add  and  “filter”  in  this  view  other  attributes  like  keyword  warnings,  domain  names,  etc. . . 

Meaning  that  if  we  want  to  have  all  the  email  exchange  with  the  word  “france”  inside,  the  above 
view  will  have  another  column  called  keyword  warning  with  the  word  “france”  signifying  that  this 
word  is  either  in  the  email  subject  or  in  the  text. 

At  this  stage,  if  you  are  interested  in  the  mail,  the  mail  will  be  reconstituted  with  its  attached 
documents. 


Here  is  another  CDR  view  of  e-mail  communication  with  a specific  targeted  email  sender: 


index 

A.smtp.*:sender  not  null 

A.smtp.*:  receiver  not  null 

A.smtp.*:subject  not  null 

A.smtp.*:mime_type  notn... 

way 

1 

salamat@rp.lip6.fr 

Nina@sprintlabs.com 

RE:  Questions 

application/pdf 

incoming 

2 

salamat@rp.lip6.fr 

Nina@sprintlabs.com 

RE:  Questions 

text/plain 

incoming 

3 

salamat@rp.lip6.fr 

anucci@sprintlabs.com 

RE:  Questions 

text/plain 

incoming 

4 

salamat@rp.lip6.fr 

augustin.soule@lip6.fr 

RE:  Questions 

text/plain 

incoming 

5 

salamat@rp.lip6.fr 

Nina@sprintlabs.com 

RE:  Questions 

application/pdf 

outgoing 

6 

salamat@rp.lip6.fr 

anucci@sprintlabs.com 

RE:  Questions 

text/plain 

outgoing 

7 

salamat@rp.lip6.fr 

augustin.soule@lip6.fr 

RE:  Questions 

text/plain 

outgoing 

Here  is  another  CDR  view  of  mail  communication  through  MSN  messenger  instant  messaging,  if 
one  communication  is  interesting,  then  the  complete  communication  could  be  reconstituted  from  the 
complete  flow  database: 
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index 

base.*:application  not  null 

A.msn.*:login  not  null 

A.ip*:client_addr  not  null 

way 

1 

msn 

gueyebamba@hotmail.com 

132.227.61.159 

incoming 

2 

msn 

jocelyne_elias@hotmail.com 

132.227.61.39 

incoming 

3 

msn 

samir_g_d@hotmail.com 

132.227.61.78 

incoming 

Here  is  another  CDR  view  of  all  web  surfing  activity  of  one  user: 


index 

A.ip  *:client_addr  not  null 

A. http.*: server  not  null 

A.http.*:uri  not  null 

way 

1 

132.227.61.1 

forums.famili.fr 

/adm/familismall.gif 

incoming 

2 

132.227.61.1 

forums.famili.fr 

/for.html 

incoming 

3 

132.227.61.1 

forums.famili.fr 

/forum.js 

incoming 

4 

132.227.61.1 

forums.famili.fr 

/forum/disc/1 01 5399824 

incoming 

5 

132.227.61.1 

forums.famili.fr 

/forum/groupe 

incoming 

6 

132.227.61.1 

forums.famili.fr 

/forum/inter/1015399823 

incoming 

7 

132.227.61.1 

forums.famili.fr 

/forum/sujet/9651 24405 

incoming 

8 

132.227.61.1 

forums.famili.fr 

/future_maman/recherche_preno... 

incoming 

9 

132.227.61.1 

forums.famili.fr 

/image/forum/ballcblue.gif 

incoming 

10 

132.227.61.1 

forums.famili.fr 

/image/forum/ballgreen.gif 

incoming 

11 

132.227.61.1 

forums.famili.fr 

/image/forum/blue,  gif 

incoming 

12 

132.227.61.1 

forums.famili.fr 

/image/forum/fond. gif 

incoming 

13 

132.227.61.1 

forums.famili.fr 

/image/forum/Visu.jpg 

incoming 

14 

132.227.61.1 

forums.famili.fr 

/image/pixtrans.gif 

incoming 

15 

132.227.61.1 

forums.famili.fr 

/image/popup_forum.html 

incoming 

16 

132.227.61.1 

prof.estat.com 

/js/mr.js 

incoming 

17 

132.227.61.1 

prof.estat.com 

/m/web/21  701  765570?n=770461  8... 

incoming 

18 

132.227.61.1 

www.famili.fr 

/cgi-bin/pub.cgi?type=js&pool=foru... 

incoming 

19 

132.227.61.1 

www.famili.fr 

/image/banniere_guigoz.gif 

incoming 

20 

132.227.61.1 

www.google.fr 

/ 

incoming 

21 

132.227.61.1 

www.google.fr 

/search?q=prA©noms  filles&ie=U... 

incoming 

22 

132.227.61.1 

www.hellobebe.com 

/9mois1  jpg 

incoming 

23 

132.227.61.1 

www.hellobebe.com 

/Gf.jpg 

incoming 

24 

132.227.61.1 

www.hellobebe.com 

/animate.js 

incoming 

25 

132.227.61.1 

www.hellobebe.com 

/comml  .jpg 

incoming 

26 

132.227.61.1 

www.hellobebe.com 

/dldl.jpg 

incoming 

27 

132.227.61.1 

www.hellobebe.com 

/ecrl  .jpg 

incoming 

28 

132.227.61.1 

www.hellobebe.com 

/fa.htm 

incoming 
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Here  is  another  CDR  view  of  all  Google  queries  for  any  users  (this  could  be  done  also  for  other 
search  engine  and/or  for  selected  users  or  IP  address,  etc.): 


index 

base.*:application  not  null 

A.google.*:query  not  null 

A.ip.*:client_addr  not  null 

way 

1 

google 

s khan  the  utility  model  for  adaptat... 

132.227.61.108 

incoming 

2 

google 

"Lettre  de  motivation"  "emploi" 

132.227.61.39 

incoming 

3 

google 

"opendx"  tetrahedra 

132.227.61.81 

incoming 

4 

google 

"the  utility  model  for  adaptative  mul... 

132.227.61.108 

incoming 

5 

google 

Infradio 

132.227.72.3 

incoming 

6 

google 

Lettre  de  motivation  pour  un  emploi 

132.227.61.39 

incoming 

7 

google 

charbit 

132.227.61.52 

incoming 

8 

google 

dany  zebiane 

132.227.61.99 

incoming 

9 

google 

dany  zebianz 

132.227.61.99 

incoming 

10 

google 

disparity©  de  l'uAA"tre 

132.227.61.52 

incoming 

11 

google 

disparity©  de  I'urA  tre 

132.227.61.52 

incoming 

12 

google 

el  watan 

132.227.61.66 

incoming 

13 

google 

el  waten 

132.227.61.66 

incoming 

14 

google 

end  to  end  sla  businesses  negoti... 

132.227.61.108 

incoming 

15 

google 

end  to  end  sla  pricing  negotiation 

132.227.61.108 

incoming 

16 

google 

farid  benbadis 

132.227.61.156 

incoming 

17 

google 

iis  ssl  activation 

132.227.61.53 

incoming 

18 

google 

iis  ssl  grise 

132.227.61.53 

incoming 

19 

google 

iis  ssl  service  windows 

132.227.61.53 

incoming 

20 

google 

lorta-jacob 

132.227.61.52 

incoming 

21 

google 

lortat-jacob 

132.227.61.52 

incoming 

22 

google 

lortat-jacob  urologie 

132.227.61.52 

incoming 

23 

google 

marina  charbit 

132.227.61.52 

incoming 

24 

google 

martine  meunier 

132.227.61.52 

incoming 

25 

google 

meunier  mastologie 

132.227.61.52 

incoming 

26 

google 

michele  constantien 

132.227.61.52 

incoming 

27 

google 

negotiation  SLA 

132.227.61.108 

incoming 

28 

google 

negotiation  SLAbaisnis 

132.227.61.108 

incoming 

29 

google 

negotiation  SLAbisnis 

132.227.61.108 

incoming 

30 

google 

negotiation  SLA  pricing 

132.227.61.108 

incoming 

Here  is  another  CDR  view  of  all  VoIP  communications  with  caller  and  calee  information,  if  of 
interest , the  communication  could  be  reconstituted: 


index 

A.sip.*:caller  not  null 

A.sip.*:callee  not  null 

way 

1 

1 41 877440  @6  2.244.88.1 28 

331 762601 41  @10.1 2.4.1 2 

incoming 

2 

331 762601 27@1 0.1 0.3.58 

0031203572506@qosmosip.option-service.com 

incoming 

3 

331 762601 41  @10.1 2.4.1 2 

003491 21 02000@qosmosip.option-service.com 

incoming 

4 

331 762601 41  @10.1 2.4.1 2 

01 41 877440@qosmosip.option-service.com 

incoming 

♦ 


20060512TP-HOSP 
Ind. 02 


Homeland  Security  Program 
Technical  Specification 


36 


i2e 


8.4.2.SFCOND  STEP:  FLOW  RECONSTITUTION 

Once  we  have  selected  or  recognised  any  information  of  interest  thanks  to  the  CDR  database,  all 
information  stored  in  the  main  data  base  can  be  reconstituted  with  the  exception  of  storage 
limitation  of  course  (we  remind  you  that  we  have  in  storage  several  days  of  the  complete  flow!). 

Those  reconstitutions  called  transcoding  modules  are  organised  by  application  type.  All  the  kind  of 
emailing  applications,  attached  documents,  VoIP  type  of  communication  can  be  reconstructed. 

Email  type  transcoding  modules  include: 


SMTP, 

POP3, 

IMap 


and  webmail  (the  most  and  common  used,  google,  yahoo,  etc.) 


Attached  files  to  the  communication  exchanges: 


.doc,  .txt,  .xls,  .csv,  .pdf,  .ppt,  etc. 

.gif,  .jpeg,  .bmp,  .mpeg,  .avi,  .tif,  .wav,  etc. 


The  most  and  common  used  VoIP  and  Chat  type: 


- Standardised  ones  (H323,  SIP,  MGCP, .) 

Proprietary  ones  (msn,  yahoo,  paltalk,  bctocall,  bctophone,etc.) 


Once  the  user  has  decided  to  recreate  the  file  of  interest,  this  file  will  be  available  for  editing, 
printing  or  storing. 

All  the  reconstructed  files  will  be  available  for  keyword  searching  in  the  document. 


♦ 
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8.4.3.FXAMPFF  OF  OPERATION  AT,  MODE  (NOT  LIMITED  TOl 

Thanks  to  the  of  the  system  organization,  different  types  of  operational  modes  can  be  used: 

♦ Specific  keyword  based  monitoring 

■ In  all  emails  send  or  received  (in  subject  or  in  the  text) 

■ In  all  types  of  attachment  (txt,  xls  , csv  ,pdf, ..)  once  the  flow  is  reconstituted  and  on 
a specific  target 

■ Web  site  browsed  (URL  query) 

■ Chat  message  (inside  the  text) 

♦ Email  ID  based  monitoring 

■ Capture  of  all  email  and  attachment 

■ Search  for  keyword  within  all  captured  mails  and  attachments  (in  differed  time  for 
attached  document) 

■ Track  ISP’s  user  IDs  used  when  communicating  with  emails  IDs 

■ Store  mail  IDs  of  his  communications  ( i.e.  mails  sent  or  received  from  others) 

♦ Chat  ID  based  monitoring 

■ Capture  all  chat  IDs. 

■ Search  for  keyword  within  the  captured  traffic 

■ List  of  other  chat  ID  referred  in  the  chat  conversation 

■ Get  user  ID,  phone  number  and  IP  address  (phone  if  available  on  the  flow  with  the 


♦ IP  address  based  monitoring 

■ Capture  all  traffic  from  and  to  IP  address 

■ Segregate  traffic  into  mails,  chat,  etc.  for  differed  display 

■ Search  for  keyword  within  the  traffic 

■ Track  all  IP  addresses  accessing  it 

■ Track  the  telephone  number  of  the  users  (if  available  in  the  flow  with  the 


♦ ISP  account  id  based  monitoring 

■ Display  telephone  numbers  used  for  logging  into  the  Net  (if  available  in  the  flow 
with  the  cooperation  of  the  fixed  line  operator) 

■ Display  the  time  in  which  logging  happened  using  that  user  ID 

■ Track  all  traffic  from  and  to  the  user  ID 

■ Break  down  the  traffic  to  chat,  email,  etc.  for  differed  display 

■ Search  for  keyword  within  the  captured  traffic 

♦ Telephone  number  based  monitoring  (if  available  in  the  traffic  with  the  cooperation  of 
the  fixed  line  operator) 

■ On  telephony  number: 


cooperation  of  the  fixed  line  operator) 


cooperation  of  the  fixed  line  operator) 
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■ Display  the  ISP  user  ID  used  to  login  into  the  net 

■ Display  the  time  in  which  logging  happened  using  that  telephone  number 

■ Break  down  the  traffic  to  chat,  email,  etc.  for  display 

■ Search  for  keyword  within  the  captured  traffic 

♦ Geography  (city/country)  based  monitoring  (once  mapping  has  been  done  with  your 
organisation) 

■ On  city,  country,  tracks  all  communication  flowing  to  and  from  that  region.  It  includes 
email,  chat,  website  browsing  and  voice  calls 

■ An  graphical  interface  will  be  proposed  with  the  Libyans  map  to  locate  easily  the  target 


8.4.4.PERFORMANCES 

♦ Number  of  concurrent  keywords/  targets  supported 

o 5000  simultaneously  minimum 

♦ Delivery  of  captured  record 

o Remotely  delivery  over  secure  channel  to  desktop  computer  with  client  software 
o 10  desktop  computers  per  monitoring  center  have  access  to  the  main  data  base  (this  number 
can  be  up  graded  up  to  10  without  any  problem) 
o Each  PC  will  be  a 3 GHz,  4Go  RAM,  70Go  hard  disk  with  a 19”  LCD  flat  panel  screen  and 
will  be  equipped  with  our  cryptotunnel  solution  for  highly  secured  transmission  and 
connection  to  the  disk  array,  that  means  that  each  user  will  have  his  personal  USB  SIM  key 
with  his  personal  password  (limited  to  3 attempts).  The  exchange  of  datas  between  each  pc 
and  the  data  base  will  be  encrypted  with  our  ECC  algorithm  based  solution, 
o Each  user  can  be  limited  to  one  application,  i.e.  email,  or  web  traffic,  etc. 
o We  will  give  to  the  main  authority  a master  key  for  recovering  all  datas  and  generating  new 
keys  if  necessary. 

♦ Value  added  feature 

o Capture  and  record  most  of  the  voice  over  Internet 

o Find  geographic  location  of  intercepted  messages  on  an  easy  graphical  user  interface, 
o Instant  alert  generated  for  key  messages  by  flag  in  the  software  or  emailing  to  dedicated 
users. 

o Accumulate  user  names  and  passwords  and  other  datas  flowing  in  clear  text  over  Internet 
o Build  up  database  of  ISP  account  and  various  telephone  numbers  used  by  that  account  over 
period  of  time 
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8.4.5.SECIJRITY 

♦ Security  features 

o All  communications  to  the  system  are  encrypted  (ECC  based) 
o Remote  access  to  system  is  through  access  control  device, 
o System  is  invisible  from  Internet  with  no  valid  IP  address 
o Strong  authentification  and  authorization  feature  at  operator  level 

♦ Administration  features 

o All  administration  activities  can  be  conducted  remotely 

o Administration  options  include  adding,  deleting  and  modifying  operation  profiles,  stopping, 
starting  system,  cleaning  up  database  and  backup  of  data 
o A log  file  is  created  and  can  be  review  to  track  users  activities. 


8.4.6.QPTION  : A SECOND  AND  THIRD  MONITORING  CENTERS 


To  be  able  for  two  organisations,  in  two  different  locations  to  work  on  the  recorded  or  real  time  traffic,  we 
are  proposing  a second  monitoring  center  (still  with  10  users)  located  in  a different  place  (for  example  the 
second  place  where  the  duplicated  data  base  will  be  installed  if  you  are  taking  the  option). 

A remote  access  will  be  provided  for  VIP  users.  0 . , 

r Secured  VPN  with  elliptical  curve 

algorithm 
site  A 


Secured  VPN  with  elliptical  curve 
algorithm 

site  C 


Secured  VPN  with  elliptical 
algorithm 

site  B 


curve 


FIBER  CHANNEL 
up  to  10km 


VIP  remote  laptop  (secured  connection  with  USB 

A second  and  third  monitoring  c SIM  card  and  ECC  cryptography)  rating  consoles  for  10  users, 

those  users  are  connected  to  the  5N  (based  on  our  elliptical 

curve  technology  algorithm  for r Jsr^^^sr y. 


This  second  and  third  monitoring  center  is  included  in  our  financial  proposal. 


8.5.BLOCKING  AND  FILTERING  WEB  NAVIGATION 
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Thanks  to  the  NS  A,  the  system  can  point  out  some  dangerous  communication  and  some  unwanted  URL  or 
URI,  we  will  install  a SECURE  COMPUTING  solution  which  will  allow  URL/URI  filtering. 

8.5.1  .Performance,  scalability,  and  reliability 

Our  solution  has  been  engineered  to  provide  the  performance  you  need  for  gigabit  traffic  loads  today  and 
with  expandability  and  scalability  built  in  for  tomorrow. 

Appliance  performance 

* 3+  Gbps  stateful  inspection  throughput 

* Unparalleled  2.2  Gbps  of  application  layer  throughput 

* 15,000  connections  accepted  per  second 

* Up  to  1 ,000,000+  total  simultaneous  connections 

* "Tunable"  firewall  balances  performance  against  security  requirements 
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Scalability 

Scalability  is  achieved  by  adding  if  necessary  appropriate  appliance  models  that  come  with  single,  dual  or 
quad  processors.  Active/active  high  availability  is  also  an  included  feature. 

• Multiple  Xeon  processors  at  up  to  3.4GHz  and  above 

• Up  to  800  MHz  front  side  bus 

• Up  to  2 GB  RAM 

• Gigabit  network  interfaces 

• Up  to  7 I/O  slots  for  network  interface  or  peripheral  expandability 

Reliability 

All  the  Security  Appliance  provide  fully  integrated  or  optional  reliability  features,  notably: 

• Integrated  stateful,  active/active  high  availability  protection  that  supports  a pair  of  firewalls.  No 
third-party  products  are  required. 

• Multiple  power  supplies 

• RAID  hard  drive  configurations 

• DDR  memory 

• Health  monitoring  of  the  entire  appliance  system 

Clustering  and  load  balancing 

By  clustering  multiple  Appliance  in  a rack,  sites  can  achieve  unlimited  scalability  and  throughput. 

Clustering  your  appliances  allows  you  to  achieve  multiple  Gigabit  throughput  performance  and  be  assured  of 
seamless  load  balancing  and  high  availability. 

8.5.2  INSTALLATION  AND  MANAGEMENT 


URL  and  URI  filtering  and 
redirection  solution 


MAIN  ROUTER 


MAIN  SWITCH 
CISCO  CATALYST 


The  appliance/firewall  will  be  connected  and  managed  from  one  or  two  or  the  three  monitoring  centers,  this 
solution  of  filtering  will  have  an  independent  graphical  user  interface  and  will  just  act  as  a filtering  and 
redirection  device.  The  black  list  and/or  white  list  will  be  generated  by  the  customer. 

The  black  list  will  be  dynamically  and  constantly  renewed  and  updated  by  the  customer. 


8.6.FINAL  AND  COMPLETE  DIAGRAM 
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8.7. TRAINING,  TROUBLE  SHOOTING  AND  MAINTENANCE 

The  training  will  be  composed  of  2 main  topics: 

Training  of  high  level  for  administrator 
Training  for  users 

The  training  for  high  level  people  (administrators)  will  last  2 weeks  and  will  allow  the  people  to  train 
themselves  the  final  users  if  necessary,  it  will  be  limited  to  3 persons.  The  training  will  include: 

Training  and  learning  of  the  complete  infrastructure  including  software  and 
hardware 

How  to  maintain  equipments  and  software 
Troubleshooting 

For  users,  the  training  will  be  more  oriented  towards  use,  configuration  and  first  level  maintenance  of  the 
equipment.  It  will  last  2 weeks  also  and  will  include  class  of  10  people  (if  necessary  we  will  train  20  people 
in  2 sessions). 

Once  troubleshooting  is  done,  the  first  level  maintenance  will  be  taken  care  by  a lot  of  spare  part  which  will 
delivered  at  the  same  time  of  the  system.  This  spare  part  lot  will  include:  hard  disks,  raid  controller,  power 
supplies,  screen,  motherboards,  and  probe  plug-ins. 

A period  of  2 month  is  included  in  the  proposal  for  3 customer  engineers  to  be  in  our  premises  in  Paris  to 
assist  and  help  to  the  Arabisation  and  customization  of  the  system.  Moreover  these  2 persons  will  be  part  of 
the  development  to  assimilate  the  different  technologies  and  get  the  maximum  of  technology  transfer  from 
i2e  Group. 

Finally  as  scheduled,  two  i2e  engineers  will  be  installed  in  Tripoli  for  the  6 first  months  to  help  the  customer 
in  any  matter. 

8.8. PLANNING 

After  approval  for  exportation,  the  delivery  will  be  within  7 months  for  the  system. 


Monitoring  center 
SITE  3 10 


users 


Homeland  Security  Program 
Technical  Specification 


44 


20060512TP-HOSP 


Ind.  02 


9.  VTP  CONVOY  PROTECTION 

9.1.IDENTIFICATION  OF  SECURITY  PROBLEM 

For  the  past  years,  terrorists  or  unofficial  threat  organisations  lead  a lot  of  bombing  attempts  against  VIP 
Convoy  using  radio  remote  explosives.  The  important  things  to  know  are  that  a lot  of  radio  communications 
devices  including  mobile  phones  are  not  used  in  their  primary  utilisation  but  used  to  trigger  explosives  from 
a remote  and  safe  area.  The  recent  dramatic  news  shows  that  it  is  very  easy  for  indelicate  persons  to  access 
these  devices  mainly  available  on  the  unofficial  market. 

9.2.0UR  PROPOSED  SOLUTION 

9.2.1. Jamming  System 

Our  unique  Mobile  Jamming  systems  are  made  of  advanced  radio  transmitters  especially  designed  to 
block  radio-communication  receivers  in  HF,  VHF  or  UHF  Bands  (therefore  including  GSM,  GPRS 
or  equivalent)  in  an  area  of  about  100m  around  the  mobile  Jamming  Car. 


The  systems  creates  all  around  the  vehicle  a high  power  radio-electrical  shield  that  allows  to  saturate 
all  radio  frequencies  in  a 100m  radius,  while  preserving  the  health  of  all  persons  located  inside  the 
bubble. 


9.2.2.A  UNIQUE  DESIGN 


♦ 
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Current  architecture  of  our  systems  lies  on  a unique  14  simultaneous  band  radio  transmitter 

Modular  system:  the  system  is  divided  into  14  different  bands  to  allow  best  coverage  of  Jamming 
and  also  in  case  of  potential  malfunction  of  one  channel,  redundancy  trough  the  other  channels.  If 
needed  new  bands  can  be  covered  on-demand  by  adjunction  of  a new  15th  transmitter. 

20  MHz  to  2.500  GHz  spectrum  coverage: 

o Full  jamming  coverage  from  20  MHz  to  1.030  GHz  in  8 Bands, 
o 6 additional  bands  for  pagers,  GSM,  DCS,  UMTS,  Mobile  satellites  and  ISM  Band. 

Microprocessor  and  Databus  Controlled:  All  functions  are  completely  microprocessor  controlled. 
Information  is  send  to  the  amplifiers  through  a proprietary  DATABUS.  Securization  of  data 
exchanges  exists  on  the  DATABUS  between  the  2 racks  and  the  Control  Box. 

Auto  Protection:  All  band  Frequencies  are  protected  against  Overheat.  SWR  is  permanently 
analysed  and  controlled  in  Real-Time  during  Jamming  to  protect  all  electronic  components. 

Additional  Power  Source:  an  additional  Alternator  completely  controlled  by  an  Electronic  Control 
Unit  is  installed  in  the  truck  to  supply  maximum  Energy  (up  to  5KW)  to  the  Jamming  System 
without  reducing  the  capacities  of  the  vehicle.  Use  of  high  density  Batteries  give  total  autonomy  to 
the  Jamming  system  without  relying  on  the  Truck  Batteries 


High  Gain  Antennas:  Each  Antenna  is  developed  specially  for  each  Band  Frequency  to  give  the 
best  results  of  Jamming  in  ALL  DIRECTIONS  (Wide  Band  Omni  Directional  Antennas) 
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9.2.3. Specific  features 

9.2.3.1.20  MHz  TO  2.500  GHz  SPECTRUM  COVERAGE 


Start-up  20  MHz 


1.100  MHz 


Stop  2500  MHz 


MultiBand  Frequencies 
Mixed  Band  Frequencies 
Radio  Remote-Control 
Pagers 

GSM  900  Mobile  Phones 

Satellites  Mobile  Phones  1500/1600  Thuraya  / Inmarsat  / Iridium 
DCS  1S00  Mobile  Phones  / DECT  13S0/1900  wireless  telephone 
PCN  1900  Mobile  Phones 
UMTS  2130  Mobile  Phones 

ISM  Band  + Video  +Bluetooth  + WIFI  2.4  GHz  + Globalstar 


9.2.3.2.2.5  GHz  AND  BEYOND  COVERAGE-  WIFI  5.1  GHz  - WIMAX  2.8  GHz  AND  3.7  GHz 

Customer  may  decide  to  extend  the  bands  to  be  jammed.  If  so  new  transmitters  are  either  put  in  lieu  of 
proposed  one  or  added  to  the  existing  14th  bands.  This  option  is  to  be  defined  before  placing  order. 
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9.2.3.3.EASE  OF  USE 

A control  box  is  inserted  on  the  driver  console  to  decide  which  channels  to  trigger.  Some  channels  may  be 
left  opened  to  allow  for  communication  while  blocking  others. 


9.2.3.4.  Modular  and  Upgradable  Design 


Each  amplifier  is  set  in  an  individual  safe  box,  rack  mounted  in  the  central  system.  Enclosed  picture  illustrate 
the  additional  channels  left  available  for  product  optimization. 
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9.2.3.5.DETAILS  OF  STANDARD  CHANNEL  PROTECTION 


Distinction  is  made  in  consumption  if  it  used  in  a Defensive  (Blue)  or  Offensive  (Yellow)  Mode 
Grey  Shaded  Area  illustrates  the  bands  allocated  to  mobile  terrestrial  or  satellite  communication. 


# 

Band 

Frequency 

MHz 

Target 

Peak  in 
Offensive 
Mode 

Peak  in 
Defensive 
Mode 

Voltage 

Offens.  Current  / 
Power 

Modulation 

1 

20  - 40 

Radioco 

200 

200 

12 

pm 

complexe 

16,4  A 

- 200  W 

2 

40  - 80 

Radioco 

200 

200 

12 

PTT 

FM  - PAM 

12 

15,5  A 

186  W 

complexe 

3 

80  -100 

Radioco 

220 

220 

12 

KifUYi 

FM  - PAM 

12 

14,5  A 

175  W 

complexe 

4 

100  -200 

Radioco 

220 

220 

12 

BDH3 

MUYJ 

FM  - PAM 

12 

16,5  A 

195  W 

complexe 

5 

145  - 170 

PAGERS 

190 

190 

12 

nsr 

complexe 

6 

200  - 400 

Radioco 

160 

140 

12 

EET7 

kfhi'.'i 

FM  - PAM 

12 

19  A 

230  W 

complexe 

7 

400  - 600 

Radioco 

105 

105 

12 

BE 

FM  - PAM 

12 

8,5  A 

105  W 

complexe 

8 

600  - 800 

Radioco 

85 

85 

12 

FIT? 

kIMVj 

FM  - PAM 

12 

io  4 

120  W 

complexe 

9 

800-  1000 

Radioco 

85 

85 

12 

OEJEE 

khhiVi 

FM  - PAM 

9 A 

105  W 

complexe 

24 

(EM'.'i 

FM  Mode 
FSM 

10 

925  - 960 

GSM 

40 

- 

12 

175  V| 

11 

1500  - 1630 

Satellite 

12 

- 

12 

EEE 

PfiTTj 

FM  Mode 
FSM 

12 

1805  - 1990 

DCS 

35 

- 

24 

ESC 

FM  Mode 
FSM 

12 

6,5  A 

75  W 

24 

EXE 

FM  Mode 
FSM 

13 

2000-  2200 

UMTS 

15 

12 

6 A 

60  W 

FM  Mode 
FSM 

14 

2300  - 2500 

ISM 

15 

- 

12 

!^TT7  Kwmvi 

/ i 


- 


SUMPTION  IN  DEFENSE  MODE  : 


TOTAL  CONSUMPTION IN  OFFENSIVE  MODE: 


3200  Watts  (arrondi 


2000  Watts  (arrondi) 
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9.2.3.6.POWER  CONSUMPTION 


The  power  peak  indicated  for  each  mode,  offensive  or  defensive  are  about  the  same  value.  Nevertheless,  the 
differences  between  these  two  modes  are  related  to  the  type  of  modulation.  In  defensive  mode,  the  width  of 
pulsate  is  significant.  The  consumption  of  energy  is  high  for  a power  RF  overall  identical  to  that  of  the 
offensive  mode  (with  narrower  pulsate  mode). 

The  overall  consumption  of  the  system  takes  into  consideration  the  consumption  of  the  drawers  and 
appendices  of  the  system.  It  is  globally  higher  than  3KVA. 

9.2.3.7.PERSONNEL  PROTECTION 

In  order  to  fully  protect  the  driver  of  the  car  and  its  passengers,  the  system  is  equipped  with  a Faraday  Cage, 
as  shown  on  picture.  On  top  of  it,  all  cables  are  ultra  low  loss  cable,  wrapped  by  a unique  metallic  clothe 
(proprietary  design). 


9.2.3.8.High  Gain  Antennas 


All  antennas  are  located  on  the  roof  of  the  car,  under  a discrete  shield.  Each  one  addresses  a specific  band. 


9.3.PLANNING 
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After  approval  for  exportation,  the  delivery  will  be  within  7 months  for  the  first  car,  1 per  month  after. 

9.4.TECHNOLOGY  TRANSFER 


In  order  to  get  full  autonomy  and  independence,  we  suggest  that  after  delivery  of  the  two  car,  other  vehicles 
be  assembled  in  a local  facility  that  we  would  open  in  Libya,  Tripoli.  Possible  supervision  by  Libyan  staff, 
essential  for  full  confidence  in  system,  is  possible. 

Electronic  equipment  would  remain  assembled  in  France  in  our  facilities,  and  shipped  to  Libya  for  final  car. 
Mounting.  This  option  is  to  be  decided  by  Libyan  government. 
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10.DATA  AND  COMMUNICATION  PROTECTION:  PASSPORT  NETWORK 

10.1.YOUR  SYSTEM,  DESCRIPTION  OF  EXISTING  ARCHITECTURE 

You  will  find  below  your  existing  architecture: 


In  this  network  architecture,  there  is  a main  site  with  a data  base  centralizing  all  the  information  relative  to 
passports  and  an  application  server.  There  are  also  37  points  located  all  over  the  country.  These  points  are  for 
example  placed  in  the  airport,  in  the  harbours  or  at  the  border.  In  each  point  you  will  find  a 28.8  kbps 
modem,  a router  and  a switch.  The  routers  are  Xyplex  Network  3000.  The  modems  are  Multitech  Modem. 

Each  point  is  linked  to  the  central  site  with  dial-up  connection  and  the  computers  on  the  site  can  exchange 
information  with  central  database,  to  update  it  for  example.  The  data  rate  is  28.8  kbits/s. 
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25  points  are  equipped  with  maximum  2 computers  and  the  other  12  points  have  from  4 to  20  PCs.  The 
details  of  these  points  are  presented  below: 

• Tripoli  Airport:  20  PCs 

• Tripoli  Harbour:  4 to  5 PCs 

• Tripoli  (others)  : 4 PCs 

• Benghasi  Airport : 10  PCs 

• Benghasi  Harbour  : 3 to  4 PCs 

• Tunisia  Border  Line  (2  points):  3 + 2 = 5 PCs 


Crypto-Tunnel  Point  to  Point  is  a software  solution  designed  to  establish  an  encrypted  communication 
tunnel  between  two  or  more  remote  office.  This  tunnel  uses  existing  physical  network,  such  as  Internet,  and 
its  purpose  is  to  secure  all  data  flows  transmitted  between  different  sites  of  the  same  company. 
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1 0.3.2.GENERAL  FEATURES 

Strong  authentication  by  ECC  signature  - Unique  in  the  world 

Thanks  to  a key  exchange  protocol  based  on  Elliptic  Curve  technology,  Crypto-Tunnel  increases  drastically 
the  security  of  the  authentication  process. 

Elliptic  Curve  technology  offers  the  most  powerful  cryptographic  protections  nowadays  for  a few 
reasons: 

Due  to  new  ECC  mathematical  models,  classical  ways  used  to  break  RSA  or  DSA  algorithms  do  not 


Computing  time  with  elliptic  curves  decreases 

Elliptic  curve  keys  use  less  memory  compared  with  RSA  keys  for  the  same  strength  of  protection. 
For  instance,  encrypting  with  a 128  bits  key  ECC  is  as  strength  as  a 1024  bits  key  RSA.  Thus,  ECC 
suits  very  well  smart  cards  needs  or  weak  memory  environments 

Compliant  with  European  and  international  norms . 

Crypto-Tunnel  is  in  accordance  with  European  and  international  standards,  relative  to  IT  security  which 
guarantee  compatibility  and  upgradeability  of  its  solutions:  digital  certificate  in  X509  V3  for  authentication, 
signature  with  elliptic  curves  (ECDSA)  . . . 


1 0.3.3. Specific  features 

10.3.3. I.Crypto WALL  Crypto-Tunnel  Point  to  Point 

Crypto  WALL  Crypto-Tunnel  Point  to  Point  offers  a high  level  of  security  to  interconnect  distant  offices 
and  business  partners  by  creating  a secure  tunnel  through  Internet  independent  from  the  physical  media 
crossed:  Ethernet,  WIFI,  Bluetooth,  IRDA,  ...  Thanks  to  this  software,  data  are  always  encrypted  on  the 
network,  and  cannot  be  read.  A hacker  can  never  intercept  critical  data  from  your  company.  You  work  with 
optimal  security. 

No  specific  configuration  is  required  and  the  system  is  transparent  for  users.  Each  user  keeps  his  or  her  usual 
working  comfort.  Crypto-Tunnel  Point  to  Point  provides  secure  use  of  all  standards  applications:  Mail, 
Internet,  voice  communication,  Videoconference  or  any  other  dedicated  application.  The  system  provides 
secure  exchange  of  any  type  of  critical  data  and  protects  integrity  of  the  company  data. 

Crypto-Tunnel  acts  as  a firewall  to  prevent  any  kind  of  intrusion 

Whatever  encryption  algorithm  chosen,  Crypto-Tunnel  Point  to  Point  features  an  intrusion  detection 
technology.  It  makes  your  server  more  secure  and  insensitive  to  attacks  like:  Man-in-the-middle,  rebound 
attacks,  Spoofing,  Flooding,  etc. 

The  main  Crypto  tunnel  server  located  in  the  central  office  is  a “super”  server  enabled  to  communicate  with 
all  the  distant  remote  office  server. 
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10.3.4.THE  NEW  ARCHITECTURE 

To  protect  all  your  data  transmission  between  the  sites,  we  will  install  the  Crypto-Tunnel  technology  in  each 
site  (remote  and  central). 

You  will  find  the  new  network  architecture  below: 


The  installation  of  the  solution  will  be  very  easy,  because  it  consists  in  the  insertion  of  our  encryption- 
decryption  Crypto-Tunnel  server  in  your  existing  architecture  between  the  switch  and  the  router.  That  is  to 
say  that  you  need  38  (37  remote  offices  + 1 central  site)  Crypto-Tunnel  Point  to  Point  servers. 

On  each  site,  the  Crypto-Tunnel  server  is  authenticated  to  the  central  server,  so  that  no  one  can  use  the 
secured  transmission  without  authorisation.  This  authentication  is  done  with  a smartcard.  Each  Crypto- 
Tunnel  server  disposes  of  a unique  smart  card. 

The  entire  securization  will  not  imply  any  modification  in  your  network,  it  will  remain  easy  to  deploy  and 
easy  to  use.  After  deployment,  you  will  continue  working  with  the  same  software  as  before.  The  securization 
layer  will  be  transparent  for  end  users.  They  will  keep  all  their  working  comfort,  without  changing  any  of 
their  habits. 
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10.4.SECURIZATION  OF  EACH  PC:  PC  PROTECT 

PC-Protect  is  a software  solution  allowing  the  creation  of  safe  boxes  on  your  computer  or  external  drives. 
With  this  software  and  with  your  smart  card,  you  will  create  volume  (seen  in  Windows  as  virtual  local 
drives)  that  only  you  will  be  able  to  open.  The  volume  is  encrypted  by  your  personal  key  stored  in  your 
smart  card  and  decrypted  in  real-time  when  you  need  to  access  to  the  confidential  information. 
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1 1 .TECHNICAL  SUPPORT 


To  assure  full  success  in  the  implementation  of  this  program,  we  will  implement  locally  a team  of  two 
project  manager,  one  for  protection  programs  ( encryption,  etc)  and  one  for  interception  programs  (e-mail, 


They  will  work  in  Tripoli  and  interface  with  the  customer  to  prevent  any  problems  or  difficulty  that  may 
arise  during  the  implementation  program. 

They  will  be  assisted  by  a team  of  6 Libyan  engineers  selected  by  the  customer  (and  paid  by  him)  and  will 
train  them  on  the  various  technical  aspects  required  by  the  programs. 

On  top  of  these  two  engineers,  a team  of  3 others  will  work  in  France  and/or  Libya  on  the  GSM  programs 
mentioned  in  §7  in  order  to  develop  the  adequate  software  and  hardware. 


GSM,  ...) 


